Refactor usage of GroovySandbox

jenkinsci · Sep 18, 2020 · f2592bf · f2592bf
1 parent 0592602
commit f2592bf
Show file tree

Hide file tree

Showing 2 changed files with 5 additions and 26 deletions.
diff --git a/...in/src/main/java/io/jenkins/plugins/analysis/warnings/groovy/GroovyExpressionMatcher.java b/...in/src/main/java/io/jenkins/plugins/analysis/warnings/groovy/GroovyExpressionMatcher.java
@@ -15,11 +15,13 @@
 import groovy.lang.GroovyShell;
 import groovy.lang.Script;
 
-import org.jenkinsci.plugins.scriptsecurity.sandbox.groovy.GroovySandbox;
-
 /**
  * Creates a warning based on a regular expression match and groovy script.
  *
+ * This class does not use any sandboxing mechanisms to parse or run the Groovy
+ * script. Instead, only users with Overall/Run Scripts permission are able to
+ * configure parsers that use custom Groovy scripts.
+ *
  * @author Ullrich Hafner
  */
 class GroovyExpressionMatcher implements Serializable {
@@ -62,8 +64,7 @@ private boolean compileScriptIfNotYetDone() {
      */
     public Script compile() throws CompilationFailedException {
         Binding binding = new Binding();
-        GroovyShell shell = new GroovyShell(GroovySandbox.createSecureClassLoader(GroovyExpressionMatcher.class.getClassLoader()),
-                binding, GroovySandbox.createSecureCompilerConfiguration());
+        GroovyShell shell = new GroovyShell(GroovyExpressionMatcher.class.getClassLoader(), binding);
         return shell.parse(script);
     }
 

diff --git a/plugin/src/test/java/io/jenkins/plugins/analysis/warnings/groovy/GroovyParserTest.java b/plugin/src/test/java/io/jenkins/plugins/analysis/warnings/groovy/GroovyParserTest.java
@@ -156,28 +156,6 @@ void shouldAcceptMultiLineRegularExpression() {
                 toString("multiline.groovy"))).isOk();
     }
 
-    @Test @Issue("SECURITY-1295")
-    void blockASTTest() {
-        DescriptorImpl descriptor = createDescriptor();
-
-        assertThat(descriptor.doCheckScript("import groovy.transform.*\n"
-                + "import jenkins.model.Jenkins\n"
-                + "import hudson.model.FreeStyleProject\n"
-                + "@ASTTest(value={ assert Jenkins.getInstance().createProject(FreeStyleProject.class, \"should-not-exist\") })\n"
-                + "@Field int x\n"
-                + "echo 'hello'\n"))
-                .isError()
-                .hasMessageContaining("Annotation ASTTest cannot be used in the sandbox");
-    }
-
-    @Test @Issue("SECURITY-1295")
-    void blockGrab() {
-        DescriptorImpl descriptor = createDescriptor();
-        assertThat(descriptor.doCheckScript("@Grab(group='foo', module='bar', version='1.0')\ndef foo\n"))
-                .isError()
-                .hasMessageContaining("Annotation Grab cannot be used in the sandbox");
-    }
-
     private DescriptorImpl createDescriptor() {
         return createDescriptor(createJenkinsFacade());
     }